28 April 2026

Cyber Security Testing Services: A Buyer's Guide (2026)

Penetration testing is one service. Cyber security testing is the broader category. Most teams need a mix, but few buyers actually know the difference between these services until they start procurement and get quoted wildly different prices for what sounds like the same thing.

This guide is for security teams, CISOs, procurement leads, and engineering managers comparing offers from cyber security testing providers. It covers twelve services, from baseline vulnerability assessments through to specialised work like Cyber Resilience Act conformity assessment for product manufacturers. For each: what it is, when you need it, how it differs from pen testing, what to pay, and what to look for in a provider.

For a foundational primer, see our [introduction to penetration testing](/blog/what-is-penetration-testing). For provider selection, see [what to look for in a pen testing company](/blog/what-to-look-for-in-a-pen-testing-company). For pricing, see [how much does a pen test cost](/blog/how-much-does-a-pen-test-cost).

## At a Glance: Twelve Services Compared

| Service | What it tests | Who it's for | Engagement length | Typical cost range | Common accreditations |
|---|---|---|---|---|---|
| Penetration testing | Specific apps, networks, cloud, mobile, APIs | Most organisations annually | 1 to 4 weeks | $5,000 to $80,000 | CREST, CHECK, OSCP, CRT/CCT |
| Vulnerability assessment | Known vulnerabilities across estate | Smaller firms, baseline scanning | 3 to 10 days | $2,000 to $15,000 | CREST, ASV (PCI) |
| Red teaming | End-to-end attack simulation | Mature security programmes | 6 to 16 weeks | $50,000 to $400,000+ | CBEST, TIBER-EU, CREST STAR |
| Purple teaming | Detection and response capability | Teams with a SOC | 1 to 6 weeks | $15,000 to $80,000 | CREST, GIAC GCFA/GCIA |
| Source code review (SAST/DAST/IAST) | Application source and runtime | Software vendors, regulated apps | 1 to 4 weeks | $8,000 to $60,000 | OSWE, OSCE, CSSLP |
| Social engineering | People, processes, physical access | Anyone with employees | 1 to 6 weeks | $5,000 to $50,000 | CREST SIM, OSEP |
| Threat hunting / compromise assessment | Existing compromise in your estate | Anyone with logs and concern | 2 to 8 weeks | $20,000 to $150,000 | GIAC GCFA, GCIH, GNFA |
| Continuous pen testing (PTaaS) | Ongoing application coverage | SaaS, fast-moving engineering | Annual subscription | $30,000 to $250,000 per year | CREST, OSCP |
| AI / LLM penetration testing | Models, prompts, agents, RAG | Anyone shipping AI features | 2 to 5 weeks | $15,000 to $90,000 | OSCP plus AI red team experience |
| Configuration / architecture review | Cloud, network, AD design | Cloud migrations, M&A | 1 to 3 weeks | $8,000 to $40,000 | CCSP, CISSP, CRTP |
| Compliance-driven testing | PCI, HIPAA, ISO 27001, SOC 2 | Regulated industries | 1 to 4 weeks | $5,000 to $50,000 | PCI ASV, QSA, CREST, CHECK |
| CRA conformity assessment | Products placed on the EU market | Hardware, software, IoT manufacturers | 3 to 12 weeks | €15,000 to €200,000+ | CREST, OSCE, hardware/firmware specialisations |

## 1. Penetration Testing

A pen test is a controlled, time-boxed exercise where qualified testers attempt to exploit specific systems within a defined scope, run against an agreed methodology (OWASP, PTES, CREST, NIST SP 800-115). The output is a report listing exploitable vulnerabilities with evidence, severity, and remediation guidance.

You need pen testing if you have applications, networks, cloud environments, mobile apps, APIs, IoT products, or wireless infrastructure that have not been validated externally in the last twelve months. Most organisations should run pen tests at least annually for critical assets, and after material changes (new release, new infrastructure, M&A integration). Compliance frameworks (PCI DSS, ISO 27001, SOC 2, Cyber Essentials Plus) treat at least annual pen testing as a default expectation.

### The seven flavours

For depth on each, see our [types of penetration testing](/blog/types-of-penetration-testing) guide. Web application testing is the highest-volume service. Network testing splits into external (perimeter from the internet) and internal (assumed-breach simulation). Mobile testing covers iOS and Android separately and includes the back-end APIs. Cloud testing assesses AWS, Azure, or GCP configuration. API testing has its own discipline, particularly for GraphQL. IoT and embedded testing covers firmware, hardware interfaces, and back-end services. Wireless covers Wi-Fi, Bluetooth, and increasingly LoRaWAN.

### Typical price and accreditations

A simple web app pen test runs $4,000 to $10,000. A complex multi-tenant SaaS platform runs $15,000 to $50,000. External network testing runs $5,000 to $25,000. Cloud assessments start at $8,000 and reach $75,000.

Look for CREST accreditation in the UK and Europe, CHECK status for UK government work, OSCP or CREST CRT/CCT certifications on individual testers. See [CREST vs CHECK certification](/blog/crest-vs-check-certification) for the comparison.

[SECFORCE](/provider/secforce) is a top-tier London-based, CREST-accredited firm with ISO 27001 and a strong reputation for technical depth. [NCC Group](/provider/ncc-group) holds CREST, CHECK, and CBEST and operates at scale. [Pen Test Partners](/provider/pen-test-partners) is the go-to name for IoT and OT. [MDSec](/provider/mdsec) is highly regarded for advanced offensive engagements. In the US, [Bishop Fox](/provider/bishop-fox) and [NetSPI](/provider/netspi) lead the market. [Nettitude](/provider/nettitude), part of Lloyd's Register, is a serious mid-to-large UK provider.

## 2. Vulnerability Assessment vs Penetration Testing

A vulnerability assessment runs automated scanners (Tenable Nessus, Qualys, Rapid7 InsightVM) across a defined estate to enumerate known vulnerabilities, missing patches, and weak configurations, with a skilled analyst typically reviewing the output and removing false positives.

You need a vulnerability assessment if you do not currently have continuous visibility of your patch state. Many organisations run quarterly vulnerability assessments alongside an annual pen test. PCI DSS requires quarterly external scans by an Approved Scanning Vendor (ASV).

### How it differs from pen testing

Vulnerability assessments tell you what could be exploited. Penetration tests tell you what was exploited. A vuln assessment might list 800 findings with CVSS scores. A pen test might confirm that twelve of them, when chained, allow domain admin in three hours. The pen test is more expensive, slower, and more useful as a risk decision input. The vuln assessment is faster, cheaper, and better as a continuous hygiene measure. See our [pen testing vs vulnerability assessment](/blog/penetration-testing-vs-vulnerability-assessment) article for the full comparison.

### Typical price and accreditations

External scanning subscriptions start at $2,000 per year for small estates. PCI ASV scans run $1,500 to $8,000 per year. Internal scanning with analyst review runs $5,000 to $15,000 per quarter for mid-sized organisations. For PCI work, the provider must be a registered ASV. CREST accreditation matters for broader work.

## 3. Red Teaming and Adversary Simulation

Red teaming is intelligence-led, full-scope adversary simulation. Instead of testing a specific application, the red team is given an objective (steal customer data, gain admin to a critical system) and operates across whatever paths a real attacker would.

A red team engagement combines threat intelligence, custom tooling, social engineering, network exploitation, lateral movement, and physical or insider techniques where in scope. The engagement runs over weeks or months, with limited knowledge held by the defending team.

You need red teaming when your security programme is mature enough to have meaningful detection and response capability and you want to test it end-to-end. If your blue team has not built basic logging, EDR, or SOC capability, a red team will simply confirm the obvious. Spend the budget on building defences first.

In financial services, red teaming is increasingly mandated through frameworks like CBEST in the UK (Bank of England regulated) and TIBER-EU across the euro area. DORA's Threat-Led Penetration Testing requirement, which took effect in 2025, brings red team-style testing into the mandatory regime for many EU financial entities.

### How it differs from pen testing

A pen test is bounded by scope and methodology. A red team is bounded only by the objective. A pen test produces a vulnerability list. A red team produces an attack narrative. See [red teaming vs penetration testing](/blog/red-teaming-vs-penetration-testing) for the full comparison and [red team engagement cost vs penetration test](/blog/red-team-engagement-cost-vs-penetration-test) for pricing depth.

### Typical price and accreditations

Red team engagements run $50,000 to $400,000 or more. CBEST and TIBER-EU exercises run €150,000 to €500,000 due to the threat intelligence and replay phase requirements. Look for CBEST accreditation if you are a UK regulated financial entity, TIBER-EU registered status for euro area work, CREST STAR or STAR-FS accreditation, and senior testers with named CBEST, OSCE, OSEP, or GXPN certifications.

[NCC Group](/provider/ncc-group), [MDSec](/provider/mdsec), and [Nettitude](/provider/nettitude) are CBEST-accredited and active in DORA TLPT work. [Bishop Fox](/provider/bishop-fox) and [SECFORCE](/provider/secforce) deliver high-end red team engagements outside the regulated frameworks.

## 4. Purple Teaming

Purple teaming is a collaborative exercise where a red team and a blue team work together, in real time, to test and tune detection and response capability. Instead of the red team trying to evade and the blue team trying to detect, both sides know what is happening and use the exercise to close gaps.

A purple team engagement typically runs through MITRE ATT&CK techniques, with the red team executing each technique while the blue team confirms whether their tooling and processes detect and respond. Where detections fail, tuning happens on the spot. The output is a coverage matrix and a list of detections that were created or improved.

You need purple teaming when you have a SOC, EDR, SIEM, or detection engineering function and want a structured way to validate and improve coverage. Particularly useful after major tooling rollouts (a new EDR or SIEM) where you need to know how good the configuration is.

### How it differs and what to pay

Pen testing finds vulnerabilities. Purple teaming finds detection gaps. Pen testing is adversarial; purple teaming is collaborative. They are complementary, not substitutes.

A two-week purple team engagement runs $15,000 to $40,000. A full ATT&CK-aligned coverage exercise across an enterprise estate runs $40,000 to $80,000. Look for a red team that can also write detections, familiarity with your specific SIEM (Splunk, Sentinel, Elastic) and EDR (CrowdStrike, SentinelOne, Defender), and GIAC GCFA, GCIA, or GCDA certifications on the blue team side.
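As an added illustration of the deliverable described above (not code from the guide or from any provider it names), the snippet below turns the per-technique outcomes of a purple team run into the coverage matrix and detection-gap list a blue team would tune against. The technique IDs are real MITRE ATT&CK identifiers; the outcomes themselves are constructed, and the three-way "alerted / logged / blind" classification is an assumption about how the results are reported.

```python
"""Build a purple-team coverage matrix from constructed technique results.
Added example, not the guide's own code; ATT&CK IDs are real, outcomes are made up."""
from collections import Counter

# Constructed results: (tactic, technique ID, technique name, logged?, alerted?)
# "logged" means telemetry reached the SIEM; "alerted" means a detection fired.
RESULTS = [
    ("Initial Access",    "T1566.001", "Spearphishing Attachment",  True,  True),
    ("Execution",         "T1059.001", "PowerShell",                True,  True),
    ("Persistence",       "T1053.005", "Scheduled Task",            True,  False),
    ("Credential Access", "T1003.001", "LSASS Memory",              False, False),
    ("Discovery",         "T1087.002", "Domain Account",            False, False),
    ("Lateral Movement",  "T1021.002", "SMB/Windows Admin Shares",  True,  False),
]


def outcome(logged: bool, alerted: bool) -> str:
    """Classify a single technique execution (assumed three-way scheme)."""
    if alerted:
        return "alerted"          # detection fired: covered
    return "logged" if logged else "blind"   # data present but no rule / no data at all


def coverage_matrix(results=RESULTS) -> dict:
    """Per-tactic counts of alerted, logged-only and blind techniques."""
    matrix: dict[str, Counter] = {}
    for tactic, _tid, _name, logged, alerted in results:
        matrix.setdefault(tactic, Counter())[outcome(logged, alerted)] += 1
    return matrix


def detection_gaps(results=RESULTS) -> list:
    """Techniques that produced no alert, blind ones first.
    Blind techniques need logging fixed before a rule can be written;
    logged-only techniques need a detection rule, which is the cheaper fix."""
    gaps = [(tid, name, outcome(logged, alerted))
            for _tactic, tid, name, logged, alerted in results if not alerted]
    return sorted(gaps, key=lambda g: (g[2] != "blind", g[0]))


def alert_rate(results=RESULTS) -> float:
    """Fraction of executed techniques that raised an alert."""
    return sum(1 for *_, alerted in results if alerted) / len(results)


if __name__ == "__main__":
    for tactic, counts in coverage_matrix().items():
        print(f"{tactic:18} {dict(counts)}")
    print(f"alert rate: {alert_rate():.0%}")
    for tid, name, status in detection_gaps():
        print(f"GAP {status:7} {tid} {name}")
```

In a real engagement the rows come from the engagement tracker rather than a literal list, and the matrix is re-run after each tuning pass so the before/after numbers document what the exercise improved.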

## 5. Source Code Review and SAST/DAST/IAST

Application security testing extends below the running surface and into the code itself. The category includes manual source code review, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).

Manual source code review is a senior security engineer reading the codebase, looking for vulnerability classes that scanners miss: business logic flaws, authentication bypass paths, complex injection vectors, race conditions, cryptographic misuse. SAST is automated static analysis (Checkmarx, Veracode, Semgrep, GitHub Advanced Security, Snyk Code) integrated into CI. DAST tests the running application from outside (Burp Suite Pro, Invicti, Acunetix). IAST instruments the running application to find runtime issues with deeper context.

You need source code review for high-risk applications: financial systems, healthcare records, custom cryptography, anything with authentication and authorisation logic. SAST and DAST should be part of any serious software development lifecycle.

### How it differs and what to pay

Pen testing finds what is exploitable from outside. Source code review finds what is wrong in the code, including issues that are not currently exploitable but will be when surrounding code changes. SAST and DAST are continuous; pen testing is point-in-time.

A source code review of a mid-sized application runs $15,000 to $60,000 depending on lines of code and complexity. SAST tooling subscriptions run $20,000 to $200,000 per year. Look for OSWE (Offensive Security Web Expert) and OSCE certifications, demonstrable familiarity with your language stack (a Go review needs a Go reviewer), and CSSLP for senior application security architects.

## 6. Social Engineering Testing

Social engineering testing assesses the human and process layer: phishing simulations, voice-based pretexting (vishing), SMS phishing (smishing), and physical access attempts.

Phishing simulation campaigns send targeted, realistic phishing emails to employees and measure click-through, credential entry, and reporting rates. Vishing engagements have testers call employees and attempt to extract credentials by pretext. Physical engagements involve testers attempting to gain unauthorised access to offices, data centres, or restricted areas, often as part of a broader red team.

You need social engineering testing if you have employees and have not validated your awareness training works. The 2024 Verizon DBIR continued to show the human element involved in around 70 percent of breaches. Compliance frameworks including PCI DSS, ISO 27001, and the NIS 2 Directive treat social engineering exposure as in scope.

### How it differs and what to pay

Pen testing targets technical vulnerabilities. Social engineering targets people and processes. The two often combine in red team work but are commonly bought separately.

A standalone phishing campaign of 500 employees runs $5,000 to $15,000 once. Annual subscription platforms (KnowBe4, Hoxhunt) run $5 to $30 per user per year. Vishing engagements run $5,000 to $20,000. Physical penetration testing runs $10,000 to $50,000 per site. Look for CREST SIM (Simulated Targeted Attack and Response) certification, OSEP, references for industry-comparable engagements, and clear ethical guardrails on physical engagements.

## 7. Threat Hunting and Compromise Assessment

Threat hunting and compromise assessment look for evidence that an attacker is already inside your estate, rather than testing whether they could get in.

A compromise assessment is a structured forensic review of endpoints, identity logs, network telemetry, and cloud audit logs to determine whether your environment shows signs of past or ongoing compromise. Threat hunting is the ongoing, hypothesis-driven version of the same activity, often delivered as a managed service.

You need a compromise assessment after any of: a confirmed peer breach (your sector or supply chain), a near-miss incident, an M&A transaction (assessing the target's environment before integration), or a board-level concern that you cannot conclusively answer. You need ongoing threat hunting if your detection tooling is mature enough that the long-tail of advanced techniques is the threat that worries you.

### How it differs and what to pay

Pen testing assumes you might be breached and tests if you can be. Compromise assessment assumes you might already be breached and tests if you have been. The two answer entirely different questions.

A compromise assessment for a 1,000-employee organisation runs $30,000 to $80,000. For a 10,000-employee enterprise it runs $80,000 to $250,000. Ongoing threat hunting services run $50,000 to $500,000 per year. Look for GIAC GCFA, GCIH, GCFE, and GNFA certifications, EDR forensic capability across your specific tooling, and cloud forensic capability.

## 8. Continuous Penetration Testing / PTaaS

Penetration Testing as a Service (PTaaS) is the modern delivery model that replaces the once-a-year report with ongoing application coverage, combining a platform, on-demand testers, and continuous re-assessment.

A PTaaS engagement typically involves a platform where you can submit scope, view findings as they are reported, manage retesting, and integrate with your ticketing system. Behind the platform sits a roster of testers, often crowdsourced or carefully managed in-house, who run continuous and on-demand testing.

You need PTaaS if you ship product changes weekly or daily and an annual pen test report is out of date the moment it is published. PTaaS also fits organisations with extensive application portfolios where centralised vulnerability management beats individual point-in-time reports.

### How it differs and what to pay

Traditional pen testing is bounded, time-boxed, and report-driven. PTaaS is continuous, platform-driven, and integrates with engineering workflows. The trade-off: PTaaS gives you breadth and continuity; traditional pen testing gives you depth and senior consultant attention to specific scopes.

PTaaS subscriptions run $30,000 to $250,000 per year, scaling with the number of assets and frequency of testing. [Bishop Fox](/provider/bishop-fox) leads the market with their Cosmos platform. [NetSPI](/provider/netspi) is the other dominant player, with their Resolve platform widely used in enterprise. Quality of the platform matters: integrations with your ticketing (Jira, Linear), SDLC visibility, retest workflow. Quality of testers matters more: senior CREST or OSCP-certified, not entry-level crowd.

## 9. AI / LLM Penetration Testing

AI penetration testing is a rapidly emerging discipline focused on the specific vulnerability classes introduced by machine learning models, large language models, and AI-powered features.

An AI/LLM penetration test covers prompt injection (direct and indirect), jailbreaking, output manipulation, training data poisoning, model extraction, RAG (Retrieval-Augmented Generation) injection, agentic attack chains, and MCP (Model Context Protocol) abuse. The test typically combines OWASP LLM Top 10 coverage with bespoke testing for the specific application architecture.

You need AI pen testing if you have shipped any feature backed by an LLM or ML model, particularly if it processes untrusted input (customer-submitted text, scraped web content, retrieved documents) or has any agency (the ability to call tools, query databases, send emails). Most AI features fall into one or both categories.

### How it differs and what to pay

Traditional pen testing methodologies miss most of the AI-specific issues. Prompt injection is not in OWASP Top 10 (it is in the LLM Top 10). RAG injection requires understanding of vector retrieval. Agentic attacks require understanding of tool-calling architectures. The skill set is genuinely different.

A focused LLM pen test on a single application runs $15,000 to $40,000. A complex multi-agent or RAG-based system with extensive integrations runs $40,000 to $90,000. Look for OSCP plus demonstrable AI red team experience, familiarity with the major model providers and frameworks, and sample reports. For a deeper guide, see our [AI/LLM penetration testing buyer's guide](/blog/ai-llm-penetration-testing-buyers-guide).

## 10. Configuration and Architecture Review

Configuration and architecture review is hands-on assessment of how your systems are designed and configured, rather than how they behave under attack.

A configuration review reads through cloud configuration (IAM policies, security groups, S3 buckets, KMS keys), network architecture, identity infrastructure (Active Directory, Entra ID, Okta), container orchestration, and similar areas. The output identifies risk in design and configuration that a behavioural pen test might never reach because it requires specific access or pre-conditions.

You need configuration review after a cloud migration, after an M&A integration, after an Active Directory consolidation, or before any major architectural change.

### How it differs and what to pay

Pen testing is behavioural and external. Configuration review is structural and internal. A pen test might miss an IAM misconfiguration that requires specific role assumption to exploit; a configuration review will flag it on sight.

A cloud configuration review for a single AWS account runs $8,000 to $20,000. Active Directory architecture review runs $10,000 to $40,000. Multi-cloud reviews run higher. Look for CCSP and CISSP for cloud architects, CRTP (Certified Red Team Professional) for AD-specific work, and tooling familiarity (Prowler, ScoutSuite, BloodHound, PingCastle, Purple Knight).
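To make the contrast with behavioural testing concrete, here is an added example (not the guide's code, nor tooling from Prowler, ScoutSuite or any provider named above) of two checks a configuration review applies by reading the configuration directly: wildcard grants in an IAM policy document, and administrative ports reachable from any address in a security group. The inputs are constructed samples in the shapes AWS uses for IAM policy JSON and `describe-security-groups` output; the group IDs, bucket name and CIDRs are placeholders, not real account data.

```python
"""Static configuration checks of the kind a cloud configuration review runs.
Added example; sample policies and rules are constructed, not from a real account."""
import json

# Constructed sample: over-permissive policy (the weak setting a review flags on sight)
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample: the same workload scoped to the calls and resources it needs
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
})

# Constructed security-group ingress rules (describe-security-groups shape)
WEAK_SG = {"GroupId": "sg-placeholder1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH from anywhere
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # HTTPS, expected public
]}
SCOPED_SG = {"GroupId": "sg-placeholder2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # SSH from the private range only
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}       # "any address" in IPv4 and IPv6


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_iam_policy(policy_json: str) -> list:
    """Flag Allow statements that grant every action or apply to every resource."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


def review_security_group(sg: dict) -> list:
    """Flag SSH/RDP rules whose source range is the whole internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        if perm.get("IpProtocol") == "-1":          # "all traffic" rule, no port fields
            low, high = 0, 65535
        else:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port in sorted(p for p in ADMIN_PORTS if low <= p <= high):
            findings.append(f"{sg['GroupId']}: port {port}/tcp open to the world")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, review_iam_policy(policy))
    for sg in (WEAK_SG, SCOPED_SG):
        print(sg["GroupId"], review_security_group(sg))
```

Note that a behavioural pen test from outside would see the open HTTPS port on both groups but could only discover the `Action: "*"` grant by first obtaining credentials that carry it; the review catches it with read access to the configuration alone, which is the point made above.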

## 11. Compliance-Driven Testing

Compliance-driven testing is penetration testing or vulnerability assessment scoped specifically to satisfy a regulatory or framework requirement.

PCI DSS testing covers the cardholder data environment specifically, including segmentation testing and ASV scans. HIPAA testing covers ePHI-handling systems with specific privacy considerations. ISO 27001 audits include penetration testing as part of the broader information security management system review. SOC 2 audits cover similar ground for service organisations. Cyber Essentials Plus (UK) requires a specific structured assessment. NIS 2 (EU) and DORA (financial services) impose their own testing expectations.

You need compliance-driven testing if you are subject to one of these frameworks, which covers most organisations of any meaningful size. The trick: well-scoped pen testing usually satisfies most compliance requirements as a by-product, so this should not be a separate exercise from your broader testing programme.

### How it differs and what to pay

The methodology is similar to a standard pen test. The scope, evidence requirements, and reporting format differ. PCI DSS, for instance, requires segmentation testing that proves the cardholder data environment is properly isolated; this is not part of every pen test by default.

PCI DSS pen testing runs $5,000 to $50,000 depending on environment complexity. PCI ASV scans run $1,500 to $8,000 per year. ISO 27001 audit penetration testing typically runs $10,000 to $40,000. See [penetration testing for PCI DSS compliance](/blog/penetration-testing-for-pci-dss-compliance) for a deeper look. For PCI, look for an Approved Scanning Vendor designation and Qualified Security Assessor (QSA) credentials. For broader work, CREST or CHECK.

## 12. Cyber Resilience Act Conformity Assessment

The Cyber Resilience Act (Regulation EU 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. Penetration testing is now part of a broader conformity assessment regime for hardware, software, and connected device manufacturers.

A CRA conformity assessment covers the product itself, its update mechanism, any back-end services it depends on, the vulnerability disclosure programme, and the SBOM (Software Bill of Materials). For default and Class I products, manufacturers can self-assess against harmonised standards with supporting penetration test evidence. For Class II products (firewalls, IDS/IPS, OS, HSMs, smart meters), third-party conformity assessment by a notified body is required.

You need CRA conformity assessment work if you are a manufacturer placing any product with digital elements on the EU market. The reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026. The full conformity assessment regime applies from 11 December 2027. The penalty regime tops out at €15 million or 2.5 percent of global turnover.

For the full regulatory picture see our [Cyber Resilience Act compliance guide](/blog/cyber-resilience-act-compliance-guide-2026). For practical penetration testing scoping, see the [CRA penetration testing checklist](/blog/penetration-testing-cyber-resilience-act-checklist).

### How it differs and what to pay

CRA work is product-focused, not enterprise-focused. It often requires firmware reverse engineering, hardware interface testing (JTAG, UART, SPI, I2C), cryptographic implementation review, and SBOM validation. The deliverables need to map findings to specific Annex I clauses for review by notified bodies.

Default products: €5,000 to €20,000. Class I products: €15,000 to €40,000. Class II products: €30,000 to €80,000, with hardware-heavy products running higher. Critical products: €80,000 and up.

Look for demonstrable IoT and embedded device penetration testing track record, hardware analysis capability (firmware extraction, JTAG, hardware reverse engineering), cryptographic implementation review experience, notified body engagement experience, EU geography for direct engagement with notified bodies, and credentialed testers (OSCP, OSCE, CREST CRT/CCT, plus hardware-specific credentials). [Pen Test Partners](/provider/pen-test-partners) is a leading UK firm for IoT and OT product testing. [NCC Group](/provider/ncc-group) and [SECFORCE](/provider/secforce) operate at the upper end of the regulated product testing market. [MDSec](/provider/mdsec) is well placed for complex Class II products requiring deep firmware and hardware work.

## How to Build a Cyber Security Testing Programme

Most organisations end up buying three to five of the services in this guide. The mix depends on industry, risk profile, and maturity. A reasonable shape for a mid-sized SaaS company looks like: continuous PTaaS for ongoing application coverage, an annual external network pen test, a quarterly vulnerability assessment, an annual phishing simulation programme, and a periodic cloud configuration review. A regulated financial entity adds CBEST or DORA TLPT red teaming. A product manufacturer adds CRA conformity assessment work.

The thread running through all these services is that the right provider matters more than the right service category. A cheap red team is a wasted budget. A poorly scoped CRA test will fail at the notified body. A rushed PCI scan leaves findings on the table.

When evaluating providers, weigh accreditations against named individual testers, sample reports against marketing materials, and case studies against testimonials. Ask for retest terms in writing. Ask whether the people in the sales meeting are the people who will actually run the test. Ask for a methodology document, not just a one-line description.

Our provider directory lists penetration testing companies across the UK, US, and EU with comparable accreditations, services, and reviews. For UK-specific options see our [pen testing companies UK](/blog/pen-testing-companies-uk) shortlist; for the global field see [top pen testing companies](/blog/top-pen-testing-companies).

Cyber security testing is no longer one service that you buy once a year. It is a portfolio of services, each with its own methodology, accreditations, and pricing. Knowing the difference is the first step to spending well, comparing fairly, and ending up with the security outcomes the budget was supposed to buy.